lacme/lacme, branch master Small ACME client written with process isolation and minimal privileges in mind Prepare new release v0.8.3. 2024-06-13T15:39:34+00:00 Guilhem Moulin guilhem@fripost.org 2024-06-13T15:39:34+00:00 ce6a95d172dbefd0e310c46e0a0d9c56d19e34ca 






Fix post-issuance validation logic.
2024-06-13T14:48:05+00:00

Guilhem Moulin
guilhem@fripost.org

2024-06-13T01:32:04+00:00

9cb882a468843bf8ce9598de8769d5baaaaae3ea

Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:





Rather than adding intermediates in the certificate bundle we now
validate the leaf certificate with intermediates as untrusted (used for
chain building only).  Only the root certificates are used as trust
anchor.

Not pining intermediate certificates anymore is in line with Let's
Encrypt's latest recommendations:

    Rotating the set of intermediates we issue from helps keep the
    Internet agile and more secure.  It encourages automation and
    efficiency, and discourages outdated practices like key pinning.
    “Key Pinning” is a practice in which clients — either ACME clients
    getting certificates for their site, or apps connecting to their own
    backend servers — decide to trust only a single issuing intermediate
    certificate rather than delegating trust to the system trust store.
    Updating pinned keys is a manual process, which leads to an
    increased risk of errors and potential business continuity failures.
    — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:







Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions.
2024-06-13T13:41:12+00:00

Guilhem Moulin
guilhem@fripost.org

2024-06-13T01:33:20+00:00

bf4d2d13ffcd894c6e7765dbd366f1163c69c9e1

OpenSSL 3.2 from Debian sid spews

    Warning: Reading certificate from stdin since no -in or -new option is given

without an explicit `-in /dev/stdin`.





OpenSSL 3.2 from Debian sid spews

    Warning: Reading certificate from stdin since no -in or -new option is given

without an explicit `-in /dev/stdin`.







Prepare new release v0.8.2.
2023-04-25T18:06:22+00:00

Guilhem Moulin
guilhem@fripost.org

2023-04-25T18:06:22+00:00

c80a2530eb014b34a314e078fec2589bc7969e33












Prepare new release v0.8.1.
2023-01-25T02:23:51+00:00

Guilhem Moulin
guilhem@fripost.org

2023-01-25T02:23:51+00:00

b3af3526b293f396da02a6276ea86ca17dcd2d03












lacme: pass a temporary JSON file with the client configuration to the internal client.
2021-02-25T09:30:22+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-25T00:41:59+00:00

9a8f705eddd18ccc9a24fe0e7efe6b5a87b2be09

So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.





So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.







lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl.
2021-02-24T23:37:17+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T23:30:37+00:00

f09c95ea97c9bdee92f7c7622689aed540373a73












lacme: improve install_cert()'s handling of temporary files.
2021-02-24T20:56:10+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:50:11+00:00

491998131f18d136ca37f15898d07062ad7a1fae












lacme: Return an error when the 'mode'/'chown' isn't a number.
2021-02-24T20:32:06+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:28:31+00:00

ea5a51ecaa72c8277b4f878cf3635025d757fa37

oct("foobar") is 0, definitely not what we want.





oct("foobar") is 0, definitely not what we want.







lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'.
2021-02-24T20:32:06+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:24:13+00:00

c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407